
FTC settles with Lenovo over a built-in snooping software, $3.5 million fine
SAN FRANCISCO —  Lenovo, the world’s second largest computer manufacturer, has settled with the Federal Trade Commission over charges it shipped some of its laptops preloaded with software that compromised security protections in order to deliver ads to consumers. The company will also pay $3.5 million to 32 states that were part of the settlement.

The VisualDiscovery program caused pop-up ads to appear on the user's screen whenever his or her cursor hovered over a similar-looking product on a website. While only information about websites the user visited was transmitted, the program had the ability to access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information, the FTC alleged.

Consumers are frequently shown ads that correspond to their search or viewing history, but this is normally done via ad-tracking software or cookies, which can be turned off on Facebook and Google or by deleting cookies. In the case of VisualDiscovery, the software hijacked encrypted web sessions.

“It’s the online equivalent of someone intercepting your mail, opening it, reading it, closing it back up and then putting it back in your mailbox,” said FTC acting chair Maureen Ohlhausen.

The program was created by a third-party advertising software company, Superfish, that was founded in Israel but headquartered in Palo Alto, Calif. It has since shut its doors.

As many as 750,000 laptops sold in the United States had the program installed from 2014 through 2015, the FTC says.

The FTC alleges that beginning in August of 2014, China-based Lenovo began selling laptops in the United States that came pre-installed with the software program. Consumers weren’t told the software was on their systems.

Beijing-based Lenovo made headlines in 2005 when it purchased IBM’s personal computing division for $1.75 billion, an acquisition that at the time was controversial as many feared it was a beachhead for other Chinese businesses. Today it is the world’s second-largest PC maker, with 20.4% of the global market, very close behind HP which has 21.8%, according to research firm IDC. In 2016 Lenovo's revenue was $43 billion.

Lenovo has published a list of computers that came with the software installed. Its popular ThinkPad laptops were not affected.

“Egregious does describe it,” said Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Purdue University.

“Sadly, other vendors may be doing something similar as the competition for ad revenue is huge, and the mechanisms are not that difficult to build in (or get prepackaged),” he said.

The snooping software was first discovered and reported by Chris Palmer of the Google Chrome security team.

As part of the settlement, Lenovo must now get consumers' permission before pre-installing any software that injects advertising into consumers' Internet browsing sessions or that transmits sensitive information from their systems to third parties. Lenovo must also implement a comprehensive software security program to test all software that comes preloaded onto its laptops, and that security program will be subject to third-party audits.

In a statement, Lenovo said it "disagrees" with allegations contained in these complaints but is pleased to bring the matter to a close.

In order to be able to show pop-up ads on encrypted websites, the VisualDiscovery program used an insecure method to replace the digital certificates for the websites with its own certificates. VisualDiscovery did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using unique passwords for each laptop, the FTC said.

That meant that even if a consumer went to a website that began with https://, which would lead them to believe they were on a secure and encrypted site, in fact the security had been breached.

“The harm was consumers were buying computers whose basic security features were undermined without their knowledge or consent,” said Ohlhausen.

Lenovo stopped installing the software over a year ago, and many antivirus programs were updated to identify the program and remove it when news about the insecurity broke.

Still, it’s possible that it still exists on some laptops, the FTC said. Lenovo has published instructions on how to remove the Superfish software on its website.

Neither Lenovo nor the FTC is aware of any actual instances of a third party exploiting the vulnerabilities the VisualDiscovery software created to steal users’ communications.


China pledges neutrality unless US strikes North Korea first


China’s government says it would remain neutral if North Korea attacks the United States, but warned it would defend its Asian neighbor if the U.S. strikes first and tries to overthrow Kim Jong Un’s regime, Chinese state media said Friday.

“If the U.S. and South Korea carry out strikes and try to overthrow the North Korean regime, and change the political pattern of the Korean Peninsula, China will prevent them from doing so,” reported the Global Times, a daily Chinese newspaper controlled by the Communist Party.

Meanwhile, other Asia-Pacific countries have come out in support of the United States in the event of a North Korean nuclear attack.

Japan’s defense minister, Itsunori Onodera, said this week that his nation’s military was ready to shoot down North Korean nuclear missiles, if necessary.

In Australia, Prime Minister Malcolm Turnbull described his country and the U.S. as being “joined at the hip,” the South China Morning Post reported.

“If there is an attack on the U.S., the Anzus Treaty would be invoked,” and Australia would aid the U.S., Turnbull told Australia’s 3AW radio Friday morning. Turnbull was referring to a collective security agreement between the United States, Australia and New Zealand.

The Chinese response to the heightened tensions between the U.S. and North Korea followed a number of hot-headed proclamations.

North Korea has threatened the U.S. with a nuclear attack on Guam, a U.S. territory south of Japan, after President Donald Trump said additional threats against the country or its allies would be met with “fire and fury.”

On Thursday, the president doubled down on the remarks, saying his original comment possibly “wasn’t tough enough.”

In a separate appearance, Trump added: “Let’s see what [Kim Jong Un] does with Guam. He does something in Guam, it will be an event the likes of which nobody has seen before – what will happen in North Korea.”

One North Korean government official, meanwhile, accused Trump of “going senile,” Fox News reported.


Chinese hack attacks against US companies persist despite leader's pledge, report says


Chinese hacking attempts on American corporate intellectual property have occurred with regularity over the past three weeks, suggesting that China almost immediately began violating its newly minted cyberagreement with the United States, according to a newly published analysis by a cybersecurity company with close ties to the U.S. government.

The Irvine, California-based company, CrowdStrike, says it documented seven Chinese cyberattacks against U.S. technology and pharmaceuticals companies "where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national security-related intelligence collection."

"We've seen no change in behavior," said Dmitri Alperovitch, a founder of CrowdStrike who wrote one of the first public accounts of commercial cyberespionage linked to China in 2011.
One attack came on Sept. 26, CrowdStrike says, the day after President Barack Obama and Chinese President Xi Jinping announced their deal in the White House Rose Garden. CrowdStrike, which employs former FBI and National Security Agency cyberexperts, did not name the corporate victims, citing client confidentiality. And the company says it detected and thwarted the attacks before any corporate secrets were stolen.
A senior Obama administration official, speaking on condition of anonymity because he was not allowed to discuss the matter publicly, said officials are aware of the report but would not comment on its conclusions. The official did not dispute them, however.
The U.S. will continue to directly raise concerns regarding cybersecurity with the Chinese, monitor the country's cyberactivities closely and press China to abide by all of its commitments, the official added.
The U.S.-China agreement forged last month does not prohibit cyberspying for national security purposes, but it bans economic espionage designed to steal trade secrets for the benefit of competitors. That is something the U.S. says it doesn't do, but Western intelligence agencies have documented such attacks by China on a massive scale for years.
China denies engaging in such behavior, but threats of U.S. sanctions led Chinese officials to conduct a flurry of last-minute negotiations which led to the deal.
CrowdStrike on Monday released a timeline of recent intrusions linked to China that it says it documented against "commercial entities that fit squarely within the hacking prohibitions covered under the cyberagreement."
The intrusion attempts are continuing, the company says, "with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures."
CrowdStrike did not explain in detail how it attributes the intrusions to China, an omission that is likely to draw criticism, given the ability of hackers to disguise their origins. But the company has a long track record of gathering intelligence on Chinese hacking groups, and U.S. intelligence officials have often pointed to the company's work.
"We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including Deep Panda, which CrowdStrike has tracked for many years breaking into national security targets of strategic importance to China," Alperovitch wrote in a blog posting that laid out his findings.
The hacking group known as Deep Panda, which has been linked to the Chinese military, is believed by many researchers to have carried out the attack on insurer Anthem Health earlier this year.
CrowdStrike and other companies have tracked Deep Panda back to China based on the malware and techniques it uses, its working hours and other intelligence.
In 2013, another cybersecurity company, Mandiant, published a report exposing what it said was a hacking unit linked to China's People's Liberation Army, including identifying the building housing the unit in Beijing. Those findings were later validated by American intelligence officials.